1. Field
This invention relates generally to the fields of data encoding and authentication. The invention is suited for, but not limited to, use in situations where a user is required to enter an identifier or code (eg a password, username etc) which is used to validate their identity prior to completing an operation. The operation might be any type of operation. The invention is also suited for, but not limited to, verification of the user on a mobile device such as a smartphone or tablet computer. The invention can also be used to encode any input which may be entered into an electronic device using a virtual keyboard. Thus, the invention is useful for but not limited to use in authentication applications.
2. Related Art
Security of electronic devices is a significant issue. Personal or commercially sensitive data, for example, is often encoded in some way to deter unauthorised persons from reading it. One common situation where a user's input needs to be encoded is during an authentication process.
Authentication techniques are used when an individual's identity needs to be verified prior to being allowed to perform an act or gain access to some controlled or managed resource such as a device, building, a computer system, a financial account, a service etc. One common approach to authentication is to record some pre-selected identifier comprising a code or combination of symbols which is then maintained in secrecy in a secure location and available only to authorised parties. The invention described herein is not intended to be limited with respect to the type, length or format of the user's identifier.
After the identifier has been selected and assigned to an authorised individual (or group of individuals), the user is required to supply the correct identifier each time he requests permission to perform the controlled act or gain access to the resource or service. The user's inputted identifier is compared with the pre-stored version. If the input matches the stored identifier then the user's identity is deemed to have been verified and access is granted. Alternatively, if the input does not match the pre-stored version then access is denied.
The use of PINs has become commonplace, especially in relation to banking and financial applications. Customers have become accustomed to, and trusting of, the use of PIN-based verification. Financial institutions also favour PIN-based authentication as it provides a more secure form of verification than, for example, a signature. Further still, when a transaction requires authentication via a PIN the liability for any fraud resulting from that transaction is deemed to lie with the user who has supplied the PIN. This is in contrast to ‘card not present’ transactions such as on-line transactions where the liability remains with the issuing financial institution.
Another authentication approach involves using a device to capture biometric data relating to the unique physical or behavioural attributes of the individual such as iris pattern, palm geometry or fingerprint. An advantage of biometric authentication is that users do not need to remember passwords or codes, and the required information is always carried inherently by the individual wherever they go so no additional hardware such as tokens need to be carried. Therefore, biometric authentication offers a convenient and simple authentication solution which is attractive to end users.
However, despite the attractions of biometric authentication, it has yet to be widely adopted within certain industries such as the banking industry. One reason for this is that the infrastructure of the banking industry is geared towards verification using a 4 digit PIN. This includes payment terminals, ATMs, switches, and the apparatus at both the acquiring and issuing banks, which would all need to be replaced or adapted at significant cost in order to move from PIN-based to biometric authentication. Other concerns arise in relation to the security of biometric data which may be captured from non-secure sources. For example, fingerprints can be ‘lifted’ from public places, voices can be recorded. In addition, while it is easy to change a stored PIN or identifier it is not possible for an individual change biometric data such as fingerprint, iris pattern etc.
These concerns can be reduced by the use of two or three-factor authentication wherein at least two of the following are used during authentication:                What you know (eg PIN, password or other identifier)        Who you are (eg fingerprint, retina pattern, face or voice patterns)        What you have (eg smart card, security token, mobile device)        
Therefore, a system which requires a user to authenticate with both an identifier and biometric data on a device owned or operated by the user would provide enhanced security.
With respect to mobile technology, more and more people are using handheld computing devices such as smart phones and tablet computers etc for identity-sensitive operations such as banking. However, such devices are notoriously insecure and passwords, PINs and other valuable authentication data can be compromised by third parties. Therefore, there is a significant challenge in providing an authentication solution which is secure even when used on a mobile device.
One such solution has been disclosed in WO 2014/013252 which teaches the concept of sending an image of a scrambled keypad from a server to a user's device (PC, mobile phone, tablet etc). An operable, functional keypad is generated on the device and the image is displayed on the screen in the same position as the keypad. The image is superimposed over the keypad such that it is hidden from view yet still functional in the background. The positions of the underlying keypad keys do not correspond to the positions of the same ‘keys’ depicted in the image. To the user, only the image of the scrambled keypad is visible and thus when the user touches or clicks on part of the image to select an input, the operable keypad interprets this input differently and an encoded version of the user's input is received into memory on the device. Thus, as the user's real identifier (eg PIN) is never entered into the keyboard buffer or elsewhere on the device it cannot be fraudulently obtained from it. The encoded identifier is then transmitted to a remote server which knows the order of keys depicted in the keypad image, and can thus decode the user's input. In effect, a mapping is created between the keypad configurations, and this mapping is used to both encode and decode the identifier. This solution provides significant advantages over other authentication techniques, because it does not require the user to remember a different identifier, does not require the use of special or additional hardware, and avoids entry of the user's real identifier into an insecure device.
However, keypads are typically designed and used for applications such as access control for buildings or electronic devices. Therefore, a keypad does not possess the full range of keys and functionality provided by a keyboard. For example, while a keyboard would include a space bar, punctuation keys, a return key, a backspace/delete key, modifier keys (eg shift), currency keys etc, a keypad would not. As a result, while a keypad is suitable for use with the input of short or numeric-only codes such as PINs, it does not lend itself for use with identifiers comprising non-numeric symbols such as usernames, passwords, pictorial identifiers etc. Therefore, its use is restricted as many authentication systems involve the use of at least partially non-numeric identifiers.
Moreover, a keypad cannot be used for entering general purpose input into an electronic device such as the typing of letters, narrative, emails and other communications etc. because it does not comprise the necessary range of keys. Therefore, a solution is required which would enable any type of input to be encoded/decoded, not just passwords, PINs etc for verification purposes.